#!/bin/bash
# Operating system baseline reinforcement
# For Centos 7.x or Rhel 7.x

source /etc/init.d/functions
ag_server="192.168.1.254"
ag_subnet="172.16.0.0/24"
read -p "Please input new sudoer password:" mypasswd

# Print some result
function printR() {
  if [ "$1" -eq 0 ]; then
    action "$2" /bin/true
  else
    action "$2" /bin/false
  fi
}

# Add sudo users
function addSudoer() {
  egrep "devops" /etc/group &>/dev/null
  if [ "$?" -eq "0" ]; then
    printR 0 'group exist'
  else
    groupadd devops &>/dev/null
    printR $? 'add group'
  fi

  id zhaohlsky &>/dev/null
  if [ "$?" -eq "0" ]; then
    usermod -g devops zhaohlsky &>/dev/null
    printR $? 'user add'
  else
    useradd -g devops zhaohlsky &>/dev/null
    printR $? 'user add'
  fi

  echo zhaohlsky:${mypasswd} | chpasswd
  cat > /etc/sudoers.d/devops<<'EOF'
%devops        ALL=(ALL)       ALL
EOF
  myR=$?
  printR $myR 'add sudoer'
  return $?
}

# Sshd service improvement
function sshConfig() {
  \cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak && \
  sed -ir 's#.*UseDNS.*##g' /etc/ssh/sshd_config && \
  sed -ir '1i\UseDNS no' /etc/ssh/sshd_config && \
  sed -ir 's#.*GSSAPIAuthentication.*##g' /etc/ssh/sshd_config && \
  sed -ir '1i\GSSAPIAuthentication no' /etc/ssh/sshd_config && \
  sed -ir 's#.*PermitRootLogin.*##g' /etc/ssh/sshd_config && \
  sed -ir '1i\PermitRootLogin no' /etc/ssh/sshd_config && \
  sed -ir '/^$/d' /etc/ssh/sshd_config && \
  systemctl restart sshd

  myR=$?
  printR $myR 'sshd config'
  return $?
}

# Login failure lock
function failLockConfig() {
  sed -ir 's#.*pam_tally.so.*##g' /etc/pam.d/system-auth && \
  echo "account     required      pam_tally.so even_deny_root unlock_time=300 deny=3" >> /etc/pam.d/system-auth && \
  sed -ir '/^$/d' /etc/pam.d/system-auth

  myR=$?
  printR $myR 'fail lock config'
  return $?
}


# Password expiration policy
function passConfig() {
  sed -ir 's#.*PASS_MAX_DAYS.*##g' /etc/login.defs && \
  sed -ir '1i\PASS_MAX_DAYS  1800' /etc/login.defs && \
  sed -ir 's#.*PASS_MIN_DAYS.*##g' /etc/login.defs && \
  sed -ir '1i\PASS_MIN_DAYS  1' /etc/login.defs && \
  sed -ir 's#.*PASS_WARN_AGE.*##g' /etc/login.defs && \
  sed -ir '1i\PASS_WARN_AGE  28' /etc/login.defs && \
  sed -ir '/^$/d' /etc/login.defs

  myR=$?
  printR $myR 'passwd validity config'
  return $?
}

# Please be careful, firewall strategy, etc
function checkService() {
  systemctl enable rsyslog.service --now && \
  systemctl enable auditd.service --now && \
  systemctl disable firewalld && \
  systemctl stop firewalld
  #systemctl enable firewalld --now
  #firewall-cmd --set-default-zone=work
  #firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="$ag_server" port port="22" protocol="tcp" accept" --zone=work
  #firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="$ag_subnet" port port="22" protocol="tcp" accept" --zone=work
  #firewall-cmd --remove-service=ssh --permanent
  #firewall-cmd --remove-port=22/tcp --permanent
  #firewall-cmd --reload

  myR=$?
  printR $myR 'check some services'
  return $?
}

# Console timeout
function setTimeOut() {
  sed -ir 's#.*TMOUT.*##g' /etc/profile && \
  sed -ir '$a\TMOUT=600' /etc/profile

  myR=$?
  printR $myR 'set ssh timeout'
  return $?
}


# Password strength modification
function pwQualityConfig() {
  sed -ir 's#.*minlen.*##g' /etc/security/pwquality.conf && \
  sed -ir 's#.*dcredit.*##g' /etc/security/pwquality.conf && \
  sed -ir 's#.*ucredit.*##g' /etc/security/pwquality.conf && \
  sed -ir 's#.*lcredit.*##g' /etc/security/pwquality.conf && \
  sed -ir 's#.*ocredit.*##g' /etc/security/pwquality.conf && \
  sed -ir '$a\minlen=6' /etc/security/pwquality.conf && \
  sed -ir '$a\dcredit=-1' /etc/security/pwquality.conf && \
  sed -ir '$a\ucredit=-1' /etc/security/pwquality.conf && \
  sed -ir '$a\lcredit=-1' /etc/security/pwquality.conf && \
  sed -ir '$a\ocredit=-1' /etc/security/pwquality.conf && \
  sed -ir '/^$/d' /etc/security/pwquality.conf

  myR=$?
  printR $myR 'passwd quality config'
  return $?
}

# 
function denyUserSu() {
  sed -ir 's#.*pam_wheel.*##g' /etc/pam.d/su && \
  sed -ir '$a\auth            sufficient      pam_wheel.so trust use_uid' /etc/pam.d/su && \
  sed -ir '$a\auth            required        pam_wheel.so use_uid' /etc/pam.d/su && \
  sed -ir '/^$/d' /etc/pam.d/su

  myR=$?
  printR $myR 'deny use cmd-su'
  return $?
}


# Control users who log in Using SSH services
function accessConfig() {
  sed -ir 's#.*pam_access.*##g' /etc/pam.d/sshd && \
  sed -ir '/pam_nologin/a\account    required     pam_access.so' /etc/pam.d/sshd && \
  echo '#'>/etc/security/access.conf && \
  #echo '+:root:ALL'>>/etc/security/access.conf && \
  echo '+:(devops):ALL'>>/etc/security/access.conf && \
  echo '-:ALL:ALL'>>/etc/security/access.conf && \

  myR=$?
  printR $myR 'access control config'
  return $?
}

#
function main() {
  addSudoer
  sshConfig
  failLockConfig
  passConfig
  checkService
  setTimeOut
  pwQualityConfig
  denyUserSu
  accessConfig
}

main

